Hi Rafael,

If you don't want an alert if the log matches a string, just set the severity to 0. For example:

<rule id="100456" level="0">
  <if_sid>xyz</if_sid>
  <match>testing this rule</match>
</rule>

It accomplishes the same thing as the negation.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jul 10, 2009 at 3:42 PM, Rafael Gomes<[email protected]> wrote:
>
> Hi,
>
> I wanna modify a rule to not get an alert that matches testing this
> rule (for example)
>
> I should put this in the rule:
>
> <match>!testing this rule</match>
>
> Correct?
>
> Thanks!
> --
> Rafael Brito Gomes
> Projeto UFBA
> LPIC-1
> CPM Braxis
> Tel : +55 71 3283 6102
> http://www.cpmbraxis.com
>
